The Romanian Constitution[2878] adopted in 1991 recognizes under Title II (Fundamental Rights, Freedoms and Duties) the rights of privacy, inviolability of domicile, freedom of conscience and expression. Article 26 states, "(1) Public authorities shall respect and protect intimacy, family and private life. (2) Any natural person has the right to freely dispose of himself unless by this he causes an infringement upon the rights and freedoms of others, on public order or morals." Article 27 of the Constitution states, "(1) The domicile and the residence are inviolable. No one may enter or remain in the domicile or residence of a person without consent. (2) Derogation from provisions under paragraph (1) is permissible by law, in the following circumstances: for carrying into execution a warrant for arrest or a court sentence; to remove any danger against the life, physical integrity or assets of a person; to defend national security or public order; to prevent the spread of an epidemic. (3) Searches may be ordered only by a magistrate and carried out exclusively under observance of the legal procedure.(4) Searches at night time shall be prohibited, except in cases of flagrante delicto." Article 28 states, "Secrecy of the letters, telegrams and other postal communications, of telephone conversations and of any other legal means of communication is inviolable." According to Article 30, "(6) Freedom of expression shall not be prejudicial to the dignity, honour, privacy of person, and the right to one's own image."

In November 2001, the Parliament enacted Law No. 676/2001 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications
Sector [2879] and Law No. 677/2001 for the Protection of Persons concerning the Processing of Personal Data and the Free Circulation of Such
Data.[2880] These laws follow very closely the
European Union Telecommunications Privacy (1997/66/EC) and Data Protection (1995/46/EC)
Directives respectively.

Law No. 676/2001 provides for specific conditions under which privacy is protected with respect to the processing of personal data in the telecommunications sector. The law applies to the operators of public telecommunications networks and the providers of publicly available telecommunications services who, in the context of their activities, carry out processing of personal data. The regulatory authority established by Law No. 676/2001 was originally the Ministry of Communication and Information Technology, but it was changed by the Government Emergency Ordinance No. 79/2002 for the National Regulatory Authority for Communication
(NRAC).[2881] No specific department was created to take care of the application of Law 676/2001.

Law No. 677/2001 applies to the processing of personal data, made, totally or partially, through automatic means, as well as to the processing through means other than automatic, which are part of, or destined to, an evidence system.

The supervisory authority for Law No. 677/2001 is the Ombudsman (also called "The People's
Advocate").[2882] The Organizational and Functional Regulations of the Ombudsman were changed in order to provide the creation of a special Private Information Protection Office (PIPO), concerned with the protection of individuals in relation to private data processing. The Ombudsman adopted several orders in 2002 in order to apply Law No.
677/2001.[2883]. In 2003 the Ombudsman proposed a normative act establishing a notification fee; to that
effect, Law No. 476/2003 was adopted.[2884]

The specialized structure established for the implementation of the data
protection legislation is provided with 19 positions. The complaints are solved
according to Article 25 Law No. 677/2001. Pursuant to these provisions, the
complaint cannot be submitted to the supervisory authority earlier than 15 days
from the time a complaint is submitted that deals with the same problem to the
data controller. In order to solve the complaint, the supervisory authority may
listen to both the respective person and the data controller or, if applicable, the
person who represents the interests of the respective persons. If the complaint is
justified, the supervisory authority is empowered to order the temporary
interruption or ceasing of the data processing, the partial or total erasure of the
processed data, and may also notify the criminal bodies or bring a
lawsuit.[2885]

In 2003, the Ombudsman issued Order No. 6 of January 29, 2003 that establishes standard contractual clauses for the transfer of personal data to third countriesthat do not provide an adequate level of
protection.[2886]

According to the most recent Ombudsman Report, [2887] 266 operators registered
with the operator’s registry in 2003. They filed 308 notices, of which 29
concerned transfers of personal data abroad. The report states: "We find that
there is a small number of operators registered; it's mainly private law operators
that do not notify the fact that they process personal data, although the law has
been in force since March 2002." The small number of operators registered is due
to the fact that many data controllers have not yet declared that they process
personal data, despite the publicity measures taken by the Ombudsman. Data
protection legislation is very recent in Romania, and the Ombudsman lacks the
resources necessary to make a proper promotion of the legal requirements, which
explains why assessing the Ombudsman's competence as a data protection
supervisory authority is still faced with several hurdles.[2888]
As of end June 2004, there were 1,182 registered data controllers, either as natural persons or legal
persons, including central and local public authorities and institutions, as well as
private enterprises.[2889] In 2003 the Ombudsman only ordered four prior controls and eight
investigations, performed both at public and private operators.[2890] In 2004, three
investigations and three preliminary controls were carried out. In 2004, the
supervisory authority received four claims, most of them involving the sending of
unsolicited commercial messages (spam) by direct marketers.[2891]

In 2001, Law No. 682/2001 was enacted to ratify the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108).

In 2002, Law No. 365/2002 on Electronic Commerce[2892]
adopted the opt-in principle for unsolicited commercial e-mails
("spam")[2893]. In 2002, the National Audiovisual
Council [2894] issued regulations regarding privacy and television and radio programs in Decision No. 80 of August 13, 2002 Regarding the Protection of Human Dignity and the Right to Protect One's Own Image established a few privacy principles:. Article 6 states, "(1) Any person has a right to privacy, privacy of his family, his residence and correspondence. (2) The broadcasting of news, debates, inquiries or audio-visual reports on a person's private and family life is prohibited without that person's approval." According to Article 7, " It is forbidden to broadcast images of a person in his or her own home or any other private places without that person's approval; (2) It is forbidden to broadcast images of a private property, filmed from the inside, without its owner's approval."

The interception of telephone calls, the opening of correspondence and other similar actions are regulated by Law No. 51/1991 on National Security in Romania and Law No. 26/1994 on Police
Organization.[2895] Article 13 of Law No. 51/1991 allows the interception of calls in case of crimes against the state, only as a result of a mandate issued by the General Prosecutor of the Office related to the Supreme Court. The mandate has a duration of maximum six months with the possibility of being extended by up to three months by the General Prosecutor. According to Article 16 of the same law, the means to obtain information may not infringe citizens' fundamental rights and freedoms, i.e., their private life, honor or reputation, or to subject those rights and freedoms to legal restrictions. The citizens who consider that their rights have been infringed, can appeal to the Commissions of Human Rights of the 2 Chambers of the Parliament. According to Article 17 of Law No. 26/1994 that aims at preventing organized crime and serious infringements in the interest of a criminal investigation, the police can require the Prosecutor's Office to intercept calls and open correspondence pursuant to Law No. 51/1991.

In 1996 the Criminal Code was modified by Law No. 41/1996 that introduced a new section on the use of audio and video recordings for interception purposes. The section establishes the conditions under which video and audio recordings may be carried out, including the interception of telephone calls. Therefore, according to Article 91 of the Criminal Code, the recordings on magnetic tape can be used as evidence if the following conditions are complied with: there are reasons to believe that a crime has been, or is about to be, committed; the criminal deed related to which the recording is made is a crime investigated ex-officio; the use and efficiency in finding out the truth; the authority that carries out the wiretap has been properly authorized to do so. The authority competent to issue such an authorization is the prosecutor designated by the General Prosecutor of the Office related to the Court of Appeals. The authorization to wiretap is given for a period of up to
30 days. The authorization can only be extended for very substantiated reasons, and no longer than days.

The law also compels law enforcement authorities to report specific information about their wiretapping: the authorization given by the prosecutor, the number of the telephones between which the calls take place, the names of the people carrying out the conversations, and, if known, the date and time at which each communication took place, and the item number of the roll or tape on which the recording is made.

Similar provisions related to the recording of traffic data were introduced by the Law on Anti-Corruption No.
161/2003[2896] in order to prevent and combat cyber-crime. Romanian law does not provide for the retention of traffic data by Internet service providers (ISPs). The law provides that, only in emergency and properly motivated cases, law enforcement can expeditiously obtain the preservation of computer or traffic data if they could be destroyed or altered, and if there are good reasons to believe that a criminal offense by means of computer systems is being, or is about to be, committed, and for the purpose of gathering evidence or identifying the wrongdoers. During the criminal investigation, the preservation is undertaken by the prosecutor, pursuant to an appropriate ordinance and at the request of the investigative body or ex-officio, and during trial, by a court settlement. This ordinance is valid only for no longer than
90 days, and can be exceeded only once by a period not longer than
30 days.

Most of the cases involving invasion of privacy concerned the illegal interception of telephone calls. Several complaints were filed, especially by Opposition's
members.[2897] The president of the Senate Human Rights Commission recently
declared[2898] that a hearing of those people who complained on these kind of issues should take place in the Commission. The Foundation Horia Rusu organized a public debate on those issues on 14 April
2003.[2899] Two Opposition deputies presented a draft
law [2900] that would establish the conditions pursuant to which telephone calls could be intercepted so as to limit the intrusion into people's privacy. The draft provides that the warrant authorizing interception could be issued only by a judge and that, later on, the person wiretapped would have to be informed about the reasons of wiretapping. Other cases involved the invasion of privacy of several Romanian TV
stars.[2901]

Romania signed the Council of Europe Cybercrime Convention on November 23,2001, and ratified it by adopting Law No.
64/2004[2902]. Many provisions of this Convention, especially the definitions of the crimes, were incorporated into Title III (on Preventing and Fighting Cyber-Crime) of the Anti-Corruption Law No.
161/2003.[2903]

Additional laws deal with privacy issues, such as the Patient's Rights
Law [2904] or the Law on Combating and Preventing the Traffic of Human
Beings.[2905]

The Law regarding Free Access to Information of Public Interest was approved in October
2001,[2906] The law allows any person to ask for information from public authorities and state companies. The authorities must respond in maximum 30 days. There are exemptions for national security, public safety and public order, deliberations of authorities, personal data. Those whose requests have been denied can appeal to the agency concerned or to a court.

The 1999 Law on the Access to the Personal File and the Disclosure of the Securitate as a Political
Police[2907] allows Romanian citizens to access their Securitate (secret police) files. It also allows public access to the files of those aspiring for public office. The law sets up the National Council for the Search of Security Archives (CNSAS)
[2908] to administer the Securitate archives.

The Law on Protecting Classified Information was enacted in April 2002 at the behest of North Atlantic Treaty
Organization.[2909] Its drafters used an expansive view of classification that will limit access to records under the access to information law. The law was strongly criticized by the Opposition and the civil society.[2910]

In the draft of the new Penal Code,[2911] an article provides that the infringement
of a person's right to privacy by using remote means of interception to get data,
information, images or sounds from home or other similar private property
without its owner's consent or by breaking the law, is punished with an
imprisonment of two to five years. It is also prohibited to disseminate data,
information, images or sounds obtained in one of the ways set out in Paragraph 1
of Article 204. Some Romanian NGOs[2912] have requested the elimination of this
article, because, in its current wording, it limits the freedom of expression and the
debate of matters of public interest. The new version of the Penal
Code [2913] will enter into force on June 29, 2005. The former Article 204 is now replaced by
Article 209 that provides that it is not a crime to make a photo or to film a
building from public places." [2914]

A Government Decision No. 952 of August 14, 2003 [2915] calls for the
establishment of an Integrated Informational System (SII) The SII is a database
that will centralize the information held by all public institutions on natural and
legal persons. It may become the electronic arm of the Romanian Intelligence
Service (SRI). Both the Association for the Defense of Human Rights in
Romania – Helsinki Committee (APADOR-CH) and the media criticized this
decision by arguing that the Government Decision was not legal, and because of
the threats the decision raises for certain fundamental rights, especially the right
to privacy. [2916]

APADOR-CH filed an administrative complaint with the Government, based on
Article 5 of Law 29/1990 on administrative courts, pointing out that the decision
was illegal and violated the right to privacy, and requesting that the decision be
annulled/ withdrawn. [2917] The government rejected all objections. As a
consequence, the APADOR-CH as a legal entity, and two of its members as
individuals, filed a court complaint considering that the decision has seriously
infringed upon the subjective right to privacy of APADOR-CH's members (as
well as of all other people), a right guaranteed by Article 26 of the Constitution
and Article 8 of the European Convention of Human Rights. The court has taken
no decision yet.

[2883] Ombudsman Order No. 52 (April 18, 2002) for the approval of the minimum security measures for data processing laying at the basis of the operators adopting technical and organizational measures to guarantee a proper legal security level of data processing, Official Monitor, June 5, 2002; Ombudsman Order No. 53 (April 18, 2002) for the approval of standardized notification forms, Official Monitor, June 5, 2002; Ombudsman Order No. 54 (April 18, 2002) for the determination of situations requiring the notification of data processing that falls under Law No. 677/2001, Official Monitor, June 5, 2002; Ombudsman Order No. 75 (June 4, 2002) to establish specific measures and procedures to provide a satisfactory level of protection for data subjects, Official Monitor, June 26, 2002.

[2888] In 2002, the Ombudsman received 211 notifications of processing of personal data, 145 of which were
complete while 66 lacked some information. At the same time, 303 operators reported, out of which 11 declared
transfers of personal data abroad. One of them only managed to receive an authorization, where the others did
not meet the necessary conditions http://www.avp.ro/raporten.html

[2890] In a public statement the President of the Ombudsman, Ioan Muraru, declared that the designation of this
institution as the surveillance authority for personal data processing is against the purpose on this institutions
and asked the Parliament to transfer these tasks to other public institutions. He believes that such an institution
requires very specialized personnel and the Ombudsman does not and cannot have such structures. He asked for
a specialized Control Authority on Personal Data Processing. "Avocatul Poporului îsi declinã competentele
privind protectia datelor cu caracter personal" (The Ombudsman Declines Responsibilities on Personal Data
Protection) Azi, February 13, 2004, available at http://www.azi.ro/arhive/2004/02/13/social.htm#stirea2

[2910] See for more details: The Association for the Defense of Human Rights in Romania – The Helsinki
Committee (APADOR-CH). The Limits to Information in Romanian, available at
http://www.apador.org/limits.htm

[2914] "Practically, it may be considered a crime even if a journalist takes pictures of an official’s villa without
permission because the villa is inside the yard and taking pictures of whatever is inside the yard violates the
official’s right to privacy. Of course, not listing these deeds as crimes does not mean that privacy remains
unprotected, only that it has to be protected by civil, not criminal laws. If there is no political will to eliminate
this incrimination, the draft should at least be modified by introducing a provision to stipulate that the deed is
not a crime if it refers to aspects of private life impeaching over a person’s capacity to exercise a public
function." APADOR – CH Report on 2003 – available at
<http://www.apador.org/rapoarte/anuale/report2003.htm>.

[2916] APADOR-CH considers that the government resolution refers to a decision of the Supreme Defence
Council (CSAT), which could not be substituted to the Parliament's. APADOR-CH's representative Manuela
Stefanescu said: "We do not know to whom this integrated information system is subordinated; we do not know
to whom it is of use, and it is extremely dangerous to create a superpower, especially without the slightest
guarantee that the personal data will be protected. . . . Furthermore, natural and legal persons lack any means of
controlling the way in which the data centralized in this mammoth system will be used. . . .". Evenimentul zilei,
September 29, 2003, available at http://www.evz.ro/english/?news_id=132980